Executive Summary The Next Generation Identification (NGI) system is a replacement for the FBI’s Integrated Automated Fingerprint Identification System (IAFIS). The FBI’s Criminal Justice Information Services (CJIS) Division, which operated and maintained IAFIS, will continue to advance biometric identification services with NGI’s new functionalities and improvements to existing capabilities. One of NGI’s updated services is the Interstate Photo System (IPS). IPS is a face recognition service that allows law enforcement agencies to search photographs of criminals to assist with identifications. When an authorized law enforcement agency submits a photo image for face recognition, IPS will automatically search through its repository and produce a list of potential candidates. Information returned in the response is provided as an investigative lead only and is not considered to be a positive identification. NGI and IPS are expected to significantly enhance the speed and accuracy of law enforcement identifications, while sufficiently protecting privacy and civil liberties.

Section 1: Description of the Information SystemIntroduction The Criminal Justice Information Services (CJIS) Division has provided state-of-the-art fingerprint identification and criminal history services through its Integrated Automated Fingerprint Identification System (IAFIS) for many years. CJIS has replaced IAFIS and is providing new and enhanced services for fingerprints and other biometrics with the incremental implementation of the Next Generation Identification (NGI) system. This Privacy Impact Assessment (PIA) addresses and updates NGI’s Interstate Photo System (IPS), which consists of both criminal and non-criminal justice (hereinafter “civil”) photos submitted with tenprint fingerprint submissions. 1 The criminal and civil photos are separated into respective Identity Groups to ensure that the photos are properly searched and disseminated. In addition to mugshots, other types of personally identifiable information (PII) can be located in identity records in NGI. The photographs link to other identity records in NGI.

Criminal PhotosA. Criminal Identity Group IAFIS had permitted law enforcement agencies to submit photos associated with arrests (i.e. “mugshots”) and to retrieve those photos with the subjects’ records. NGI continues to permit authorized law enforcement agencies to submit mugshots associated with criminal tenprint transactions for retention in the Criminal Identity Group of IPS. Mugshot photos retained in the Criminal Identity Group of IPS may be retrieved when a law enforcement agency submits tenprint fingerprints (or fewer than tenprint via mobile devices) that match the subject or when the agency requests the photo or the Identity History Summary2 associated with the subject.

However, IAFIS did not have the technical capability to provide law enforcement with a photo search capability of the mugshots. NGI improves upon IAFIS functionality in important ways. First, through NGI, an authorized law enforcement agency now may upload photos, collected pursuant to lawful criminal investigations3 , to search against the mugshots retained in the Criminal Identity Group of IPS. These criminal investigatory photos are called “probe” photos and are not retained in NGI. When a law enforcement officer uploads a probe photo, the automated face recognition software in IPS compares the probe photo against the retained mugshots in order to find likely matches. These likely matches are called “candidate photos” because they serve only as investigative leads, and do not constitute positive identification. If any candidate photos are identified, the law enforcement officer will receive a ranked investigative candidate list of two to fifty photos. At that point, the law enforcement officer will need to conduct additional evaluation and investigation to determine if the candidate photos and the probe photo are the same subject.

A second important technical update to IPS is that law enforcement agencies may perform text-based searching of the Criminal Identity Group of IPS. This searching is performed with biographic/demographic data (e.g. sex, race, age, hair color) rather than the submission of a probe photo. The candidate photos returned in a text-based search may be used to create photo lineups.

B. Unsolved Photo File The Unsolved Photo File (UPF) is a category within IPS that is populated with law enforcement photos of unknown subjects. Authorized law enforcement users may submit photos of unknown subjects for retention in the (UPF) when a search of the Criminal Identity Group has produced no candidates and the subject remains unknown. The UPF are separate files with no known identity match. These photos must be related to investigations of felony crimes against persons as defined by the Uniform Crime Reporting Codes (e.g. criminal homicide, forcible rape, robbery, and aggravated assault)4 . All photos retained in the UPF for one year are required to be validated by the contributors to ensure that the criminal investigation remains active and that the photo remains relevant to the investigation. If the contributors cannot initially validate, the photos will be deleted from the UPF.

All mugshot photos submitted for retention in the Criminal Identity Group will be searched against the UPF. If there is a potential match, the submitter of the UPF photo will receive an Unsolved Biometric Match (UBM) message along with the candidate mugshot photo. he submitter of the UPF photo may then conduct further comparison and investigation to determine if the photos are of the same subject.

In addition, when a law enforcement user uploads a probe photo to search against the Criminal Identity Group, he/she may also request a search of the UPF. The user must affirmatively request the search to include the UPF; otherwise, only a search of the Criminal Identity Group will be performed. If any candidate photos are returned from the UPF, the user conducts morphological analysis5 to determine if the UPF photo is a likely match to his/her probe photo. If there is a likely match, the user must notify CJIS and CJIS will, in turn, inform the submitter of the UPF photo of the likely match. The submitter of the UPF photo will receive a UBM message along with the probe photo. At that point, the law enforcement agencies will coordinate directly with one another. All searches of the UPF are performed with a face recognition algorithm; a text-based search is not available.

C. Scars, Marks, Tattoos, and Symbols The NGI IPS also allows authorized law enforcement agencies to submit photos of scars, marks, and tattoos (SMT) for retention in the Criminal Identity Group. These photos must be associated with criminal tenprint fingerprints. Law enforcement users may only conduct text-based searches of the SMT photos as automated software with image-based recognition is not yet available. Users may use text-based search terms to describe the nature of the tattoo (e.g., Tweety Bird) and the location on the body (e.g., left arm). If any candidate photos are identified, the law enforcement officer will receive a candidate list of 20 to 99 SMT photos. The candidate lists are currently set at a default of a minimum of 20 and a maximum of 99 photos. In the future, as this service becomes operational, the number of candidate photos returned may be further refined. As with the face photos, these SMT photos serve only as investigative leads and do not constitute positive identification.

Civil Photos As described in previous NGI Privacy Impact Assessments6 , the FBI retains and searches civil fingerprints received pursuant to federal statutes, executive orders, state statutes in accordance with Public Law 92-5447 , and other authorities. Civil fingerprints are submitted to the FBI for criminal background checks for noncriminal justice purposes, such as employment and licensing. In some instances, the civil fingerprint contributors may choose to submit the photos of applicants, employees, licensees, and those in positions of public trust. These civil photos (not associated with any criminal history) are maintained in the Civil Identity Group, which is a designation of civil identies for the NGI program. Civil photos are not searched by or against the photos maintained in the Criminal Identity Group and law enforcement users are not permitted to search probe photos against these civil photos using either face recognition or text-based searches. These civil photos are not disseminated to law enforcement agencies or shared with any agency other than the original contributor of the photo. Likewise, the non-criminal justice agencies and entities that submit civil photos are not permitted to perform searches of IPS or the UPF.

When an individual has a record in both the Civil Identity Group and the Criminal Identity Group (e.g. fingerprints collected for employment and, separately, for arrest purposes), all collected biometrics, including photos and biographics that have been submitted by authorized agencies, become associated with the Criminal Identity Group. Therefore, the individual’s photo, although originally submitted for civil purposes, becomes a photo that is searched according to the Criminal Identity Group rules. For example, if a lawyer who has fingerprints and a photo retained in the Civil Identity Group in NGI for bar licensure purposes, also has fingerprints and a photo retained in NGI for an arrest, the lawyer’s civil biometrics become associated with the Criminal Identity Group. Thus, the lawyer’s employment photo may be searched by and returned to a law enforcement user as a criminal identity photo. This enables NGI to function as a “one-identity” system to ensure that the criminal identity records contain the most complete and accurate information regarding the subject.

Although civil photos are not searched against the mugshots in the Criminal Identity Group of IPS, they are searched against the UPF. However, a contributor may opt-out of the search of the UPF if the civil photo is not submitted for retention in NGI. If a civil photo is determined to be a likely match to a photo maintained in the UPF, the response will be suppressed in most instances and the law enforcement officer will not receive the candidate photo. The response is suppressed in this context because searches generally do not return civil photos. In the limited circumstance when the fingerprints submitted with the civil identity match against fingerprints in the Criminal Identity Group, the submitter of the UPF photo will receive notice of the candidate photo. In this example, the civil photo could be a candidate for the UPF only if there are associated criminal fingerprints. As in the example above, the lawyer’s employment photo may be returned as a candidate photo to the UPF submitter because the employment photo has now become part of the Criminal Identity Group following a criminal arrest.

In circumstances where the individual’s identity within the Criminal Identity Group is removed (e.g., expunged), the civil photo will be electronically returned to the Civil Identity Group, and will no longer be searched by and disseminated to law enforcement. If the civil contributor requests removal of the individual’s identity and associated biometrics from the Civil Identity Group, the civil photo will also be removed from the Criminal Identity Group and will no longer be searched by, and disseminated to, law enforcement. As explained in previous NGI Privacy Impact Assessments, the civil contributor is responsible for updating and validating records, as well as affirmatively requesting removal of records and associated biometrics when appropriate. Section 2: Information in the System2.1 Indicate below what information is collected, maintained, or disseminated. (Check all that apply.)

Identifying numbers

Social Security

Alien Registration

Financial account

Taxpayer ID

Driver’s license

Financial transaction

Employee ID

Passport

Patient ID

File/case ID

Credit card

Other identifying numbers (specify): Only the Universal Control Number (UCN), which is the unique identity number in NGI that replaced the FBI number in IAFIS, is associated with the photo in IPS. The UCN links the photo with biographic information stored in the Identity Groups.

General personal data

Name

Date of birth

Religion

Maiden name

Place of birth

Financial info

Alias

Home address

Medical information

Gender

Telephone number

Military service

Age

Email address

Physical characteristics

Race/ethnicity

Education

Mother’s maiden name

Other general personal data (specify):

Work-related data

Occupation

Telephone number

Salary

Job title

Email address

Work history

Work address

Business associates

Other work-related data (specify):

Distinguishing features/Biometrics

Fingerprints

Photos

X

DNA profiles

Palm prints

Scars, marks, tattoos

X

Retina/iris scans

Voice recording/signatures

Vascular scan

Dental profile

Other distinguishing features/biometrics (specify):

System admin/audit data

User ID

X

Date/time of access

X

ID files accessed

X

IP address

X

Queries run

X

Contents of files

X

Other information (specify)

2.2 Indicate sources of the information in the system. (Check all that apply.)

Directly from individual about whom the information pertains

In person

Hard copy: mail/fax

Online

Telephone

Email

Other (specify): Due to the nature of photo collection, the CJIS Division does not obtain face or SMT photos directly from an individual. The NGI IPS will be populated with photos collected by law enforcement and authorized civil partners.

Government sources

Within the Component

X

Other DOJ components

X

Other federal entities

X

State, local, tribal

X

Foreign

X

Other (specify): The photos are collected and submitted to the CJIS Division by local, state, federal, tribal, and some foreign agencies in accordance with their lawful missions.

Non-government sources

Members of the public

Public media, internet

Private sector

Commercial data brokers

Other (specify):

2.3 Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)

Pursuant to its statutory authorities, the FBI has collected, preserved, and exchanged biographic and biometric information, including photos associated with criminal files, for many decades. Therefore, the Criminal Identity Group of IPS does not constitute a new collection type or collection purpose. Instead, IPS provides the significant enhancement of face recognition technology for these criminal photos. The retention of more criminal photos and the searching and dissemination of these photos based on face recognition technology poses a risk of erroneous identification of the subject of the photo. More specifically, face recognition searching of Criminal Identity Group photos could include the risk that the technology may not be sufficiently reliable to accurately locate other photos of the same identity, resulting in an increased percentage of misidentifications.

The FBI recognizes that any new biometric capability must be carefully assessed and tested prior to implementation to ensure sufficient reliability and minimum error. With face recognition algorithms now embedded within the face recognition process, the technology can be evaluated for accuracy. Based on current technology, a face recognition search for a particular subject within the database would, eighty-five percent of the time, return search results that include a photo of that subject as one of the top fifty candidates of a ranked gallery. The National Institute of Standards and Technology (NIST) has published multiple reports evaluating the increasing accuracy and reliability of face recognition technology. Industry standards have been established by NIST and vendors of face recognition software are now in alignment with such standards for accuracy. In 2014, a NIST-published8 report on the performance of face identification algorithms titled Face Recognition Vendor Test (FRVT), NIST Interagency Report 8009, stated that “Face recognition error rates have declined massively in the two decades since initial commercialization of the various technologies. NIST has tracked that improvement and its conduct of regular independent, free, open, and public evaluations has fostered improvements in the state of the art.”

Incorporation of this technology into NGI is likely to provide substantial benefits to law enforcement and national security. In further mitigation of the reliability/accuracy risks, the IPS technology will only be employed as an investigative aid, and not as a means of positive identification. The FBI has promulgated policies and procedures to emphasize that photo matches are not to be considered “positive” identifications, and that searches of the photos will merely result in a ranked listing of candidates. When authorized law enforcement users receive candidate photos from IPS, the search result will include a specific caveat advising that the photos are to be used for investigative lead purposes only, and that further investigation is required to determine the subject’s true identity. In addition, law enforcement users will be trained on system limitations, and to recognize that the aging process and other lifestyle factors reduce the effectiveness of image searching.

Civil Liberties Considerations As noted in the Executive Summary, NGI and IPS are expected to significantly enhance the speed and accuracy of law enforcement identifications, while sufficiently protecting privacy and civil liberties. It is the responsibility of the participating law enforcement agencies to develop appropriate use policies for NGI face recognition results, in accordance with the applicable laws and policies of their relevant governmental jurisdictions. All users must also ensure compliance with the CJIS Security Policy, CJIS User Agreement, and the IPS Policy and Implementation Guide. In order to protect the civil liberties of all Americans, the FBI has required that all appropriate use policies must protect the constitutional rights of all persons and should expressly prohibit collection of probe photos in violation of an individual’s First and Fourth Amendment rights. Although face recognition technology has improved greatly, it does not provide positive identifications and submitters are prohibited from relying solely on IPS face recognition results for law enforcement action. Other indicators and factors must be considered by the submitting agency prior to making identification.

Enhanced Reliability Increases Privacy Protections NGI IPS permits new capabilities for electronic searching of Criminal Identity Group photos using biographic criteria, more precise SMT descriptors, and face recognition technology. Criminal identity photos have always been accessible to authorized NGI users. As noted in the previous NGI IPS PIA, images were functionally obscure due to limitations which provided access only via an individual’s name or identifying number. IPS will thus provide an increased capability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all. However, any potential privacy impact is mitigated by the advantages of being able to better locate responsive information—within information already lawfully acquired by the FBI—permitting better personal identifications and more complete and timely investigative analysis, including more effective and efficient identification of perpetrators and generation of leads to potential suspects. These advantages are protective of privacy, as photo comparisons can provide a means to eliminate misidentifications.

The FBI has historically collected or maintained civil fingerprints and associated biographic and biometric information for such noncriminal justice purposes as employment, licensing, and security clearances. As the NGI system grows, it is expected that many more civil photos will be associated with these civil fingerprint files. Including photos in the Civil Identity Group does not constitute an expansion of the purposes for which the information is being collected, but does result in the retention of a greater number of photos. Increased retention of PII such as face photos presents a correspondingly increased risks that the information may potentially be subject to loss or unauthorized use.

These risks are mitigated by the strong security features and robust audit processes already present in NGI (which are addressed in more detail in Section 6 below). In addition, the system stores information regarding the dissemination of photos and related data for audit logs. Dissemination of information will be linked to the authorized NGI IPS user or the agency that requested the photo. This information can be incorporated into the audit processes and provide an enhanced capability for ensuring the information is being appropriately used and disseminated. Agencies requesting and receiving photos will be subject to training and audit requirements by the applicable CJIS Systems Agency (CSA) and periodic FBI audits.

Another potential risk under the new process stems from the fact that criminal photos may now be submitted without accompanying tenprint fingerprints. Accompanying tenprint fingerprints serve to tie a photo to a single identity positively confirmed by the fingerprints. Under the new process however, photos may be submitted along with a lesser number of fingerprints and/or include reference to an existing UCN. With regard to identification based on less than ten-fingerprints, the FBI considers that the system’s fingerprint technology and technical capacity has sufficiently progressed to permit positive association with an existing identity record based on comparison with an existing tenprint set already associated with the record.

Regarding identification based on UCN, each UCN is tied to a single identity positively identified by fingerprints. However, the submitting agency may not use the correct UCN for the subject of the photo, or the wrong UCN may be submitted due to typographical, clerical, or other error. Submissions including nonexisting/invalid identifying numbers should be rejected by the system. If the FBI receives a valid UCN, but one that does not belong to the subject of the photo, the accompanying photo may be associated with the wrong identity. To mitigate this risk, the FBI intends to execute agreements with submitters of photos without accompanying tenprints. The agreements will require that a submitter verify that fingerprint identifications were performed at the state or agency level prior to submission of the photos to the CJIS Division. The FBI also intends to further reduce this risk via rigorous training, and by both state and federal audits to ensure accuracy. The FBI therefore expects that such situations will be rare, and that prior to the taking of any adverse action against a person, any such erroneous association would be discovered and corrected via comparisons with text-based descriptors, comparisons with other photos of the subject, or, ultimately, through positive fingerprint corroboration. Moreover, the additional photos may also reduce the instances of misidentification by affording more accurate and timely information regarding the appearance of the individual.

The increased retention and searching of photos by NGI IPS presents a privacy risk that the photos will be accessed or searched without authorization, or used for purposes unknown to the individual who provided the photo. The increased retention and searching of photos may also create a risk that the photos will be disseminated for unauthorized purposes, or to unauthorized recipients. However, none of the existing robust IAFIS system security requirements and user rules regarding access and dissemination have changed with this implementation update to NGI. Such risks are mitigated through training and by periodic audits conducted by the FBI to ensure that system searches are relevant and necessary to the person’s official duties. CJIS has an established Audit Unit that regularly visits entities that are authorized to collect and submit photos in an effort to ensure all legislative and agency policy protections are being implemented. Allegations of misuse of CJIS systems, including NGI, are generally referred to the appropriate CJIS Systems Officer (CSO) of the jurisdiction where the misuse occurred, and the FBI responds to all such allegations. For those occasions when records maintained in NGI are improperly accessed or disseminated, both the CJIS Advisory Policy Board and the National Crime Prevention and Privacy Compact Council have established Sanction Committees to address the possible misuse. Dissemination of information is linked to the authorized user and the agency that requested the information. The system also stores information regarding the dissemination of photos and related information in audit logs.

The privacy risk of maintaining erroneous photos or information associated with photos is further mitigated by the FBI’s substantial interest in ensuring the accuracy of the information in the system. The Bureau takes action to correct any erroneous information of which it may become aware. Additionally, the risk is mitigated because the maintenance and dissemination of information must comply with the provisions of any applicable law, regulation, or policy, including the Privacy Act of 1974. Among other requirements, the Privacy Act obligates the FBI to make reasonable efforts to ensure the information that it disseminates to non-federal agencies is accurate, complete, timely, and relevant. Privacy risks are further reduced to the extent that an agency that contributes information to NGI has a process in place for access to or correction of the contributing agency’s source records. Section 3: Purpose and Use of the System 3.1 Indicate why the information in the system is being collected, maintained, or disseminated. (Check all that apply.)

Purpose

X

For criminal law enforcement activities

X

For civil enforcement activities

For intelligence activities

For administrative matters

X

To conduct analysis concerning subjects of investigative or other interest

To promote information sharing initiatives

To conduct analysis to identify previously unknown areas of note, concern, or pattern.

For administering human resources programs

For litigation

X

Other (specify): homeland/national security

3.2 Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.

As listed in Section 3.3, the FBI has statutory authority to collect, preserve, and exchange biographic and biometric information for criminal, civil, and national security purposes. Pursuant to that authority, NGI’s mission is to reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information services. NGI IPS will have a direct impact on the law enforcement community by assisting in the disruption and deterrence of criminal activity and terrorism by providing photos as investigative leads to federal, state, local, and tribal law enforcement agencies. Increasing the number of mugshots in IPS will enhance the text-based physical descriptions already present in NGI and expand the number of searchable photos. Although civil photos are not searched, maintenance of the photos increases the accuracy of the files on individuals and assists authorized non-criminal justice users to augment their files of individuals in positions of trust. 3.3 Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system. (Check all that apply and include citation/reference.)

3.4 Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)

The NGI data, including the photos in IPS, will be retained in accordance with the applicable retention schedules approved by the National Archives and Records Administration (NARA). NARA has approved the destruction of fingerprint cards and associated information, including photos, when criminal and civil subjects attain 110 years of age or seven years after notification of death with biometric confirmation. NARA has determined automated FBI criminal history information and NGI transaction logs are to be permanently retained. All biometrics may be removed from NGI earlier than the standard NARA retention period pursuant to a request by the submitting agency or the order of a court of competent jurisdiction. 3.5 Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example: mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)

The retention and searching of face and SMT photos described in this PIA are subject to the same comprehensive security protections, access limitations, and quality control standards already in existence for IAFIS and further augmented by NGI. Access to NGI is controlled through extensive, long-standing user identification and authentication procedures. Stringent processes are in place to ensure that only authorized users have access to the system, and the information is verified through audit logs detailing an authorized user’s or agency’s search and retrieval of the biometric data. The CJIS Division Audit Unit conducts periodic internal and external on-site audits of user agencies to assess and evaluate compliance with the CJIS Division Security Policy and applicable laws. Agencies requesting and receiving biometric identifications will be trained by the CJIS Systems Agency, which has overall responsibility for the administration and usage of the CJIS programs that operate in a particular state. Records will be purged from the system upon request of the submitting agency or as a result of a court order. Section 4: Information Sharing4.1 Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.

Recipient

How information will be shared

Case-by-case

Bulk transfer

Direct access

Other (specify)

Within the component

X

DOJ components

X

Federal entities

X

State, local, tribal gov’t entities

X

Public

Private sector

Foreign governments

X

Canada

Foreign entities

X

Other (specify):

4.2 Analysis: Disclosure or sharing of information necessarily increases risks to privacy. Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example: measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information–training, access controls, and security measures; etc.)

The Criminal Identity face and SMT photos are available to Department of Justice (DOJ) components when there is a need for the information in order to perform official duties, pursuant to 28 U.S.C. § 534 and the Privacy Act of 1974, 5 U.S.C.§ 552a(b)(1). For example, the FBI shares information with the National Security Division, Criminal Division, as well as internal DOJ components such as the United States Marshals Service, the Drug Enforcement Administration, the Bureau of Prisons, the Bureau of Alcohol, Tobacco, Firearms, and Explosives. Information is disclosed only to DOJ users who have been authorized access to the information in the NGI system.

Criminal Identity face and SMT photos will also be shared with federal, local, state, tribal, foreign, international, and joint agencies for criminal justice initiatives and national security matters as permitted by federal and state statutes, federal and state executive orders, or regulation or order by the Attorney General. NGI will maintain photos provided only by authorized agencies, which are responsible for ensuring that accurate and complete biographic and biometric information is submitted in the first instance, in accordance with CJIS data quality standards and operating policies. Privacy protection is also provided by 28 U.S.C. § 534, which states that the dissemination of information under its authority is subject to cancellation if it is disclosed outside the receiving agency or related agencies. 28 CFR § 20.33 provides supplemental guidance regarding the dissemination of criminal history record information, including identification of authorized recipients and potential sanctions for unauthorized disclosures. These privacy protections are in addition to privacy provisions of the Privacy Act of 1974. These restrictions are, in turn, reflected in long-standing and extensive system security standards and operating policies applicable to all system users. In addition, authorized users must comply with applicable security and privacy protocols addressed in the CJIS Security Policy. CJIS User Agreements and Outsourcing Standards also define parameters to information sharing. Federal and state audits are performed to ensure compliance. The CSO is responsible for implementing and ensuring compliance with the CJIS Security Policy.

The main method for the transmission of biometric submissions is electronically, via the CJIS Wide Area Network (WAN), a telecommunications infrastructure that connects authorized agencies to the CJIS host computer systems. The purpose of the CJIS WAN is to provide a secure transport mechanism for CJIS criminal history record information and biometric-related information. The WAN provides direct and indirect electronic access to FBI identification services and data for numerous federal, state, and local law enforcement and authorized non-law enforcement agencies in all fifty states. Agencies transmit and, in turn, CJIS responds via the CJIS WAN. The CJIS WAN transmission hardware is configured by FBI personnel, transmission data to and from CJIS is encrypted, and firewalls are mandated and in place. Electronically, the biometrics will be supported through the Electronic Biometric Transmission Specification (EBTS), which currently supports fingerprint, palm print, latent submissions, and face photos. The EBTS provides proper methods for external users to communicate with the CJIS systems for the transmission of biographic and biometric information for purposes of criminal or civil identification.

CJIS provides training assistance and up-to-date materials to each CSO and periodically issues informational letters to notify authorized users of administrative changes affecting the system. CSOs at the state and federal level are responsible for the role-based training, testing, and proficiency affirmation of authorized users within their respective states/federal agencies. All users must be trained within six months of employment and biennially re-tested thereafter. Access to NGI will be permitted to the same users who had access to IAFIS; this initiative does not change the procedures that are used to determine which users may access the system.

Authorized users will have the ability to directly enroll biometrics into, or delete biometrics from, existing files within NGI based on their roles. The systems are not available to users unless there has been an application for, and assignment of, an Originating Agency Identifier (ORI) unique to each using entity. Each using entity may only access the types of information for the purposes that have been authorized for its ORI. Such access is strictly controlled and audited by CJIS. State and federal CSOs must apply to the CJIS Division for the assignment of ORIs and CJIS staff evaluates these requests to ensure the agency or entity meets the criteria for the particular type of ORI requested. CJIS maintains an index of ORIs and logs each dissemination of identification records to the applicable ORI. Full access ORIs are provided to criminal justice agencies and other agencies as directed by federal legislation for criminal justice purposes. Limited access ORIs are provided to noncriminal justice agencies requiring access to FBI-maintained records for official and authorized purposes. Most non-criminal justice agencies and entities have been assigned limited access ORIs and are entitled to criminal history information after first submitting fingerprints and identifying the authority for such submissions.

Like IAFIS, the NGI System Design Document included requirements to maintain chronological transaction audit logs for authorized purposes. All users are subject to periodic on-site audits conducted by both a user’s own oversight entity and the FBI CJIS Division Audit Unit. The audits assess and evaluate users’ compliance with CJIS technical security policies, regulations, and laws applicable to the criminal identification and criminal history information (CHRI), and terms of the applicable user agreements or contracts. Deficiencies identified during audits are reported to the CJIS Division Advisory Policy Board (APB) and Compact Council Sanctions Committees. The APB is set up pursuant to the Federal Advisory Committees Act and is comprised of representatives from federal, state, and local criminal justice agencies who advise the Director of the FBI in the development of policies concerning criminal history record information. The Compact Council was created pursuant to the National Crime Prevention and Privacy Compact Act of 1998. It facilitates the sharing of CHRI for noncriminal justice purposes. Access may be terminated for improper access, use, or dissemination of system records. In addition, each Information System Security Officer (ISSO) is responsible for ensuring that operational security is maintained on a day-to-day basis. Adherence to roles and rules is tested as part of the security certification and accreditation process.

Internal users of the system—all FBI employees and contractor personnel—must complete annual information security and privacy training. The training addresses the roles and responsibilities of the users of FBI systems, and raises awareness of the sensitivity of the information contained therein and how it must be handled to protect privacy and civil liberties.

Section 5: Notice, Consent, and Redress

5.1 Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system. (Check all that apply.)

X

Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 7. Further notice will be provided by this PIA.

X

Yes, notice is provided by other means.

Specify how: Civil applicants whose photos are submitted to NGI will be provided with notice via a Privacy Act statement on a hard copy or electronic form. Notice is also given by the publication of this PIA.

X

No, notice is not provided.

Specify why not: Individuals in the Criminal Identity Group will not receive additional notice because notice is not generally provided to subjects of mugshots.

5.2 Indicate whether and how individuals have the opportunity to decline to provide information.

X

Yes, individuals have the opportunity to decline to provide information.

Specify how: Civil applicants may decline to submit photos; however, agencies may require photos as a prerequisite for employment and licensing.

X

No, individuals do not have the opportunity to decline to provide information.

Specify why not: Individuals in the Criminal Identity Group cannot decline to submit photos because arrested individuals do not have the opportunity to decline mugshots.

5.3 Indicate whether and how individuals have the opportunity to consent to particular uses of the information.

X

Yes, individuals have an opportunity to consent to particular uses of the information.

Specify how: See Section 5.2.

X

No, individuals do not have the opportunity to consent to particular uses of the information.

Specify why not: See Section 5.2.

5.4 Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.

A person under arrest or the subject of a criminal or national security investigation generally has no opportunity or right to refuse the collection of biometrics. Nevertheless, any criminal or national security uses of the information must comply with the provisions of any applicable law, including the Privacy Act. Civil applicants may be required to submit a face photo as a condition for employment or licensing; however, the choice to apply for the employment and licensing is voluntary. The privacy impact associated with lack of notice to affected individuals about the collection, maintenance, and use of additional biometrics is addressed by general notice to the public via the published System of Record Notice (SORN), PIAs, and other Privacy Act notices.

Title 28 C.F.R. part 16, subpart A, provides general guidance on access to information in FBI files pursuant to the Freedom of Information Act, and 28 C.F.R. part 16, subpart D, provides general guidance regarding access to, and amendment of, information in FBI files pursuant to the Privacy Act. However, certain NGI records are exempt from the access and amendment provisions of the Privacy Act. (See 28 C.F.R. § 16.96 (e) and (f)). Title 28 C.F.R. §§ 16.30-16.34 and § 20.34 establish alternative procedures for a subject of an FBI criminal identification record to obtain a copy of his record for review and correction. If, after reviewing his identification record, the individual believes that it is incorrect or incomplete in any respect and requests changes, corrections, or updating, he may submit an application directly to the agency that contributed the questioned information. The individual may also direct his challenge to the FBI CJIS Division. The FBI will then forward the challenge to the agency that submitted the data requesting that agency to verify or correct the challenged entry.

The opportunity to seek access to or redress of information in the source records of a contributing local, state, federal, or tribal agency will be controlled by the laws and procedures applicable to that agency. To the extent that such an agency has a process in place for access to or correction of the contributing agency’s source records, individuals may avail themselves of that process. If the process results in a correction of the source records, the contributing agency should, in turn, make appropriate corrections in the information contributed to NGI.

Officials making the determination of suitability for licensing or employment must provide the applicants the opportunity to challenge the accuracy of information contained in the FBI identification record. These officials must advise the applicants that procedures for obtaining a change, correction, or updating of an FBI identification record are set forth in Title 28 CFR § 16.34. Officials making such determinations should not deny the license or employment based on information in the record until the applicant has been afforded a reasonable time to correct or complete the record (See 28 CFR § 50.12).

The risk of erroneous information is mitigated because the FBI has a substantial interest in ensuring the accuracy of information in the system, and in taking action to correct any erroneous information of which it may become aware. Additionally, the risk is mitigated because the maintenance and dissemination of information must comply with the provisions of any applicable law, regulation, or policy, including the Privacy Act. Among other requirements, the Privacy Act obligates the FBI to make reasonable efforts to ensure the information that it disseminates to non-federal agencies is accurate, complete, timely, and relevant. This risk is further mitigated to the extent that an agency that contributes information to NGI has its own process in place for access to, or correction of, the contributing agency’s source records. Section 6: Information Security6.1 Indicate all that apply.

X

A security risk assessment has been conducted. January 2014

X

Appropriate security controls have been identified and implemented to protect against risks identified in security risk assessment. Specify: Controls are documented in the NGI Security Requirements Traceability Matrix (SRTM).

X

Monitoring, testing, or evaluation has been undertaken to safeguard the information and prevent its misuse. Specify: Full testing was conducted in January 2014. The system is further evaluated quarterly to ensure safeguards remain in place.

X

The information is secured in accordance with FISMA requirements. Provide date of most recent Certification and Accreditation: May 2013

X

Auditing procedures are in place to ensure compliance with security standards. Specify, including any auditing of role-based access and measures to prevent misuse of information: As NGI is the replacement system for IAFIS, auditing for NGI is being conducted in the same manner as it was for IAFIS.

X

Contractors that have access to the system are subject to provisions in their contract binding them under the Privacy Act. Contractors provide a variety of general support and development services for NGI and in some cases have access to system data. The extent of access will vary based on the nature of the contract requirements and will be subject to appropriate non-disclosure and use limitations. Existing contracts contain appropriate security requirements and are subject to extensive privacy protections built into the existing infrastructure and policies, such as limited access, secure location, audits, and Privacy Act clauses required by the Federal Acquisition Regulation.

X

Contractors that have access to the system are subject to information security provisions in their contracts required by DOJ policy.

X

The following training is required for authorized users to access or receive information in the system:

X

General information security training

X

Training specific to the system for authorized users within the Department.

X

Training specific to the system for authorized users outside of the component.

Other (specify):

6.2Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.

Please see Section 4.2 for specific access and security control descriptions. In addition, the NGI system NIST 800-53 security control baseline is at the HIGH impact level of assurance. Security controls are continually assessed during the development life cycle for compliance and to ensure appropriate mitigation strategies have been implemented commensurate with the HIGH impact level of assurance. Section 7: Privacy Act 7.1 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (Check the applicable block below and add the supplementary information requested.)

X

Yes, and this system is covered by an existing system of records notice. Provide the system name and number, as well as the Federal Register citation(s) for the most recent complete notice and any subsequent notices reflecting amendment to the system: The FBI has notified the public that it maintains identification records for various categories of individuals. (See “Fingerprint Identification Records System” (FIRS) (JUSTICE/FBI-009) (64 Fed. Reg. 52343, 52347 (Sept. 28, 1999); 66 Fed. Reg. 33558 (June 22, 2001); 70 Fed. Reg. 7513, 7517 (Feb. 14, 2005); 72 Fed. Reg. 3410 (Jan. 25, 2007).

X

Yes, and a system of records notice is in development. A new/updated SORN will be published in coordination with the final deployment of NGI, and will include the retention and searching of criminal photos and SMT images and the retention of civil photos.

No, a system of records is not being created.

7.2 Analysis: Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.

Information pertaining to US citizens and permanent resident aliens will be retrieved by fingerprints and other biographic and biometric identifiers, as explained in Section 1, Description of the Information System. For purposes of access and retrieval, NGI will make no distinction based on an individual’s citizenship or residence.

1 The PIA for the Facial Analysis, Comparison, and Evaluation (FACE) Services Unit of the FBI was finalized on May 1, 2015. The FACE Services Unit is an internal face recognition service only available to FBI agents and analysts. It is important to note that the Face Services system is not part of the NGI system.

2An Identity History Summary is the new term for criminal history record (i.e. rap sheet) because NGI now contains identity-based records, which may contain criminal and/or civil information.

3Each jurisdiction must comply with its own legal requirements, as well as Constitutional restraints, regarding the searching of probe photos against IPS.

4Although felony definitions may vary from state to state, the UPF will use the definitions set out in the Uniform Crime Reporting Codes.

5Morphological analysis is based on the assessment and comparison of correspondence of the shape, appearance, presence and/or location of facial features. These features include global (corresponding to the overall face), local (including anatomical structures such as the nose or mouth and their components, e.g., nose bridge, nostrils, ear lobes) and discriminating characteristic facial marks, such as scars or moles.

7Pursuant to Pub. L. 92-544, the FBI may exchange identification records with officials of state and local governments for purposes of licensing and employment if authorized by a state statute which has been approved by the Attorney General of the United States. In this context the Attorney General approves the statutes in this limited circumstance. This authority has been delegated to the FBI.

8NIST is an agency of the U.S. Department of Commerce and one of the nation’s oldest physical science laboratories. The National Technology Transfer and Advancement Act of 1997 gave NIST the job of coordinating the government’s development and use of technical standards and aligning these activities with the private sector. One of NIST’s three mission-driven focus areas include developing needed standards for technology. NIST employs scientists and engineers that publish professional journal articles, technical reports, and Standard Reference Materials.